Short Integer Solution

Short Integer Solution (SIS) is an average-case problem, which was introduced in 1996 by Miklós Ajtai.^[1] He introduced a family of one-way functions based on SIS and showed that SIS is hard to solve on average if a version of the shortest vector problem is hard in a worst-case scenario.

Formal Definition

SIS_n,m,q,β STANDARD

Let matrix ${\displaystyle \mathbf{𝐀}\in {\mathbb{\mathbb{Z}}}_q^{n\times m}}$ be chosen uniformly at random. An adversary is asked to find a short non-zero vector ${\displaystyle \mathbf{𝐬}\in {\mathbb{\mathbb{Z}}}^m}$satisfying ${\displaystyle \mathbf{𝐀}\cdot \mathbf{𝐬}=\mathbf{𝟎}modq\wedge 0<\Vert \mathbf{𝐬}\Vert \le \beta }$.

A solution to SIS without the condition ${\displaystyle \Vert \mathbf{𝐬}\Vert \le \beta }$ can be found using Gaussian elimination. Thus, the condition ${\displaystyle \beta <q}$ is required as otherwise ${\displaystyle (q,0,\dots ,0)\in {\mathbb{\mathbb{Z}}}^m}$ is a trivial solution.

ISIS_n,m,q,β - Inhomogeneous SIS EQUIVALENT

Let matrix ${\displaystyle \mathbf{𝐀}\in {\mathbb{\mathbb{Z}}}_q^{n\times m}}$and target vector ${\displaystyle \mathbf{𝐭}\in {\mathbb{\mathbb{Z}}}_q^n}$ be chosen uniformly at random. An adversary is asked to find a short vector ${\displaystyle \mathbf{𝐬}\in {\mathbb{\mathbb{Z}}}^m}$satisfying ${\displaystyle \mathbf{𝐀}\cdot \mathbf{𝐬}=\mathbf{𝐭}modq\wedge \Vert \mathbf{𝐬}\Vert \le \beta }$.

The inhomogeneous version of SIS introduces a target vector ${\displaystyle \mathbf{𝐭}\in {\mathbb{\mathbb{Z}}}_q^n}$, which is chosen uniformly at random. The probability of ending up in the homogeneous case with ${\displaystyle \mathbf{𝐭}=\mathbf{𝟎}}$ happens with probability ${\displaystyle q^{-n}}$, which allows removing the condition of ${\displaystyle \mathbf{𝐬}}$ being non-zero.

ISIS is as hard as SIS. A SIS instance can be reduced to ISIS using the last column of ${\displaystyle \mathbf{𝐀}}$ as target vector for ISIS. Any solution ${\displaystyle \mathbf{𝐬}\in {\mathbb{\mathbb{Z}}}^{m-1}}$ to the ISIS instance with challenge matrix ${\displaystyle {\mathbf{𝐀}}_{[1:m-1]}}$ and target vector ${\displaystyle {\mathbf{𝐚}}_m}$ yields a valid SIS solution ${\displaystyle ({\mathbf{𝐬}}^T,-1)\in {\mathbb{\mathbb{Z}}}^m}$ of slightly larger norm. The reduction from ISIS to SIS requires index guessing a non-zero entry in the SIS solution and embedding the target vector at this position in the challenge matrix ${\displaystyle \mathbf{𝐀}}$.

NFSIS_n,m,q,β - Normal Form SIS EQUIVALENT

Let matrix ${\displaystyle \overline{\mathbf{𝐀}}\in {\mathbb{\mathbb{Z}}}_q^{n\times m-n}}$ be chosen uniformly at random and define ${\displaystyle \mathbf{𝐀}=\left[\begin{array}{cc}{\mathbf{𝐈}}_n& \overline{\mathbf{𝐀}}\end{array}\right]}$. An adversary is asked to find a short non-zero vector ${\displaystyle \mathbf{𝐬}\in {\mathbb{\mathbb{Z}}}^m}$satisfying ${\displaystyle \mathbf{𝐀}\cdot \mathbf{𝐬}=\mathbf{𝐭}modq\wedge 0<\Vert \mathbf{𝐬}\Vert \le \beta }$.

TODO

Analysis of Assumption

List of Reductions from other problems as well as cryptanalysis performed on SIS. Answer: Why is this problem hard to solve for a (quantum) computer / why should anyone believe that it is hard?

Constructions based on SIS

List of constructions built from SIS (with non-extensive list of citations)

• Signatures
• (Vector) Commitments

Related Assumptions

• k-SIS
• List of closely related assumptions - either because there is a reduction from

See also

• Space to list links which should be of further interest for people interested in SIS

References